

A Practical Approach to Threat Modeling: Page 4

Protecting your systems requires more than just a firewall and a password; you need a documented process.

Identify Vulnerabilities Using STRIDE
STRIDE is an acronym, developed by the Microsoft Application Consulting and Engineering Team, for the categories of methods by which an adversary may attack a system. STRIDE encapsulates:

  • Spoofing Identity: In this attack, adversaries falsely represent themselves as valid user entities. For example, having obtained the login of a system administrator, the attacker gains access to system data, giving them free rein to execute further attacks.
  • Tampering with Data: Using this method of attack, an adversary successfully modifies or deletes data within the system. An example would be when an adversary gains access to the system database and deletes all the client records.
  • Repudiation: This method identifies whether or not an adversary can attack a system without detection or evidence that the attack occurred. An example would be an adversary who performs a "tampering with data" attack without leaving any trail indicating that the data had been compromised.
  • Information Disclosure: In this attack method, an adversary gains access to data not within their trust level. Such data may include system information that may facilitate further attacks.
  • Denial of Service: Using this method of attack, an adversary causes a system to be unavailable to valid user entities. An example would be an adversary who issues a shutdown command to a file server.
  • Elevation of Privilege: This type of attack increases the adversary's system trust level, permitting additional attacks. An example would be an adversary who enters a system as an anonymous user entity but is able to obtain the trust level of a system administrator.
Understanding these methods guides the process of threat analysis and helps identify potential system vulnerabilities. Table 5 shows the STRIDE assessment for the three root threats identified for the member data asset.

Table 5. STRIDE Assessment: The table shows the STRIDE assessment for three root threats to the sample system (an X marks each STRIDE category that applies to the threat).

  ID   Description                      S  T  R  I  D  E
  1.0  View confidential member data.   X     X  X
  2.0  Manipulate member data.             X        X  X
  3.0  Render member data unavailable.              X

Rating Threats with DREAD
Another acronym developed by the Microsoft Application Consulting and Engineering Team, called DREAD, provides a means to rate threats identified through STRIDE and threat trees. DREAD stands for:

  • Damage Potential: Defines the amount of potential damage that an attack may cause if successfully executed.
  • Reproducibility: Defines the ease with which the attack can be executed and repeated.
  • Exploitability: Defines the skill level and resources required to successfully execute an attack.
  • Affected Users: Defines the number of valid user entities affected if the attack is successfully executed.
  • Discoverability: Defines how quickly and easily an occurrence of an attack can be identified.
You should keep the rating system simple; a rating scale ranging from one to three, for example, would be effective. On such a scale, a Damage Potential rating of one would indicate that if the specific attack were successfully executed, the resulting damage would be minimal.

While these ratings are somewhat subjective, they should be based upon the experience of the Threat Modeling Team members as well as careful evaluation of the threat trees that have been assembled. Rating threats allows the Threat Modeling Team to determine the risk associated with each of them as well as the priority of their mitigation.

Table 6 shows the DREAD ratings for the three root threats identified in the sample music CD library system.

Table 6. DREAD Ratings: Using a three-point scale, here are the DREAD ratings for the sample music CD library system.

  ID   Description                      D  R  E  A  D  Total
  1.0  View confidential member data.   1  1  1  1  1  5
  2.0  Manipulate member data.          3  1  1  1  2  8
  3.0  Render member data unavailable.  2  1  1  3  3  10

As the "Total" column shows, root threat 3.0 has the highest total DREAD rating; therefore it should be at the top of the priority list for mitigation.

Determining Risk Appetite
Mitigating all threats and vulnerabilities—even assuming they can be identified—can be very expensive both in monetary and human resources. In some cases, the current system architecture may make mitigation impossible without a complete re-design. It is at this point that the evaluation of the risk appetite of the client comes into the picture.

The considerations for determining client risk appetite are:

  • The value of the asset being evaluated: For example, a million-dollar solution that mitigates a threat to a database containing a list of baseball cards does not make good business sense, while the same mitigation for a database that contains critical information about a patented medication is certainly reasonable.
  • The cost of mitigation compared to the potential loss if an attack is successful: This is very similar to the previous consideration, although it approaches the question from a return-on-investment perspective. If the potential loss is substantially less than the cost of mitigation, it may be worth accepting the risk rather than mitigating the threat.
  • The likelihood of an attack: If executing an attack requires a high level of expertise and a large investment in materials, it may be worth accepting this risk.
  • DREAD priority ratings: A low DREAD rating indicates that the risk for an attack is fairly low and may be worth accepting.
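As an added example (not code from the article), here is the DREAD prioritisation of Table 6 together with the risk-appetite decision described above, in Python. The five ratings per threat are the article's Table 6 values; the mitigation cost and potential loss figures, and the DREAD total at or below which a threat is simply accepted, are constructed assumptions for illustration.

```python
from dataclasses import dataclass

DREAD_MIN, DREAD_MAX = 1, 3  # the article's three-point rating scale


@dataclass
class Threat:
    id: str
    description: str
    ratings: tuple          # (Damage, Reproducibility, Exploitability, Affected users, Discoverability)
    mitigation_cost: float  # constructed estimate, not a figure from the article
    potential_loss: float   # constructed estimate, not a figure from the article

    def dread_total(self) -> int:
        """Sum the five DREAD ratings after checking each one is on the scale."""
        if len(self.ratings) != 5 or any(not DREAD_MIN <= r <= DREAD_MAX for r in self.ratings):
            raise ValueError(f"{self.id}: each DREAD rating must be between {DREAD_MIN} and {DREAD_MAX}")
        return sum(self.ratings)


def prioritize(threats):
    """Highest DREAD total first, as the article does with root threat 3.0."""
    return sorted(threats, key=lambda t: t.dread_total(), reverse=True)


def decide(threat, accept_at_or_below=6):
    """Apply the article's risk-appetite considerations; the threshold is an assumption.

    Returns ("accept" | "mitigate", reason)."""
    total = threat.dread_total()
    if threat.mitigation_cost > threat.potential_loss:
        return "accept", "mitigation costs more than the loss it prevents"
    if total <= accept_at_or_below:
        return "accept", f"low DREAD total ({total})"
    return "mitigate", f"DREAD total {total} and potential loss exceeds mitigation cost"


# Ratings taken from Table 6; costs and losses are constructed sample figures
SAMPLE_THREATS = [
    Threat("1.0", "View confidential member data.", (1, 1, 1, 1, 1), 20_000, 5_000),
    Threat("2.0", "Manipulate member data.", (3, 1, 1, 1, 2), 8_000, 40_000),
    Threat("3.0", "Render member data unavailable.", (2, 1, 1, 3, 3), 3_000, 25_000),
]


def risk_register(threats=SAMPLE_THREATS):
    """Prioritised rows of (id, DREAD total, decision, reason)."""
    return [(t.id, t.dread_total()) + decide(t) for t in prioritize(threats)]


if __name__ == "__main__":
    for row in risk_register():
        print(row)
```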
